Re: How-to secure PosixAccount attr ?

[paul kölle <paul@subsignal.org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FM wrote:
| Thank you,
|
| I already have this in my slapd.conf :
|
| saslRegexp
|   uid=(.*),cn=REALM,cn=gssapi,cn=auth
|   uid=$1,ou=People,dc=domain,dc=com
|
| but the main prob is when you do a whoami on id user, the ldap server
| log showed a anonymous bind (BIND="") ans after several tests, I saw
| that it's the BIND from the /etc/ldap.conf. Is there a way that it send
| my BIND instead the one in the ldap.conf

I see, this is OT as it is an nss_ldap issue but you can try to set
the following in you /etc/ldap.conf:

use_sasl on
pam_sasl_mech GSSAPI

#sasl_auth_id nssldap/my.domain
#krb5_ccname FILE:/tmp/krb5cc_nssldap

Note the two commented statements, it looks like it is possible to use a
proxy ID (sasl_auth_id) for all binds but if you need the ID of the
person trying to access your directory it's probably not very useful
here. I made a few tests with the above settings and it worked pretty
well. One thing however, you need a valid ticket before binding,
otherwise you will have the "I have no name!" prompt...but i digress ;)

hth
~ Paul
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBuejSZMF3PJg2BX4RAgZUAKDjFMbaQSyElQzLyemwpTzzfPi1MwCdHtkL
3O7vXAXwcTYj7DaG5uKZjCE=
=N2I5
-----END PGP SIGNATURE-----